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AMENDMENTS TO THE CLAIMS 

For the convenience of the Examiner, all claims have been presented whether or not 
an amendment has been made. The claims have been amended as follows: 

1 . (Currently Amended) A method of detecting a computer virus, 
comprising: 

emulating computer executable code in a subject file; 

detecting at least one modification to a memory state of a computer system, wherein 
the at least one modification: 

is caused by the emulation of the computer executable code; and 

comprises insertion of a pointer to a viral exception handler, the pointer 

associated with a particular exception; 

compris e s installation of an e xc e ption handl e r or an int e rrupt handl e r. 

and 

detecting at least one instruction, wherein the at least one instruction forces the 
particular exception. 

2. (Currently Amended) The method of Claim 1, wherein: 

the at least one modification further comprises installation of an the viral exception 
handler^-and 

the — e mulat e d comput e r — e x e cutable cod e — compris e s — instructions — for — forcing a 
corr e sponding e xc e ption . 

3. (Currently Amended) The method of Claim 1, wherein the particular 
exception comprises at least one of the following: 

a divide-bv-zero arithmetic operation; 

an execution of an undefined computer instruction; and 

a memory access to an undefined or illegal memory address, further comprising: 
d e t e cting writing of a point e r to at l e ast on e predetermined address in a system 
memory for storing an exception handl e r point e r. 
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4. (Canceled) The method of Claim 1, further comprising: 

detecting installation, in a system memory, of a pointer to an exception handler. 
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5. 



(Currently Amended) 



Th e m e thod of Claim 1, wher e in: A method of 



detecting a computer virus, comprising; 

emulating computer executable code in a subject file; 

detecting at least one modification to a memory state of a computer system. 



the memory state comprises a particular interrupt associated with a 
legitimate interrupt handler; and 

the at least one modification: 

is caused by the emulation of the computer executable code; 

th e at l e ast on e modification comprises installation of as* a viral 
interrupt handler; and 

associates the particular interrupt with the viral interrupt handler 
instead of the legitimate interrupt handler; 

and 

detecting at least one the omulatod comput e r e x e cutabl e cod e compris e s instructions 
instruction, wherein the at least one instruction forces for forcing a corr e sponding the 
particular interrupt. 

6. (Currently Amended) The method of Claim 4- 5, further comprising: 
detecting writing of a pointer to at least one predetermined address in a system 

memory for storing an interrupt handler pointer. 

7. (Currently Amended) The method of Claim ± 5, further comprising: 
detecting use of a predetermined instruction to retrieve an address in a system 

memory corresponding to an interrupt descriptor table. 



wherein: 
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8. (Currently Amended) A program storage device readable by a 
machine, tangibly embodying a program of instructions executable by the machine to 
perform a method for detecting a computer virus, the method comprising: 

emulating computer executable code in a subject file; 

detecting at least one modification to a memory state of a computer system, wherein 
the at least one modification: 

is caused by the emulation of the computer executable code; and 

comprises installation of an a viral exception handler or aft a viral interrupt 

handler^ 

and 

detecting at least one instruction, wherein the at least one instruction forces: 
an exception associated with the viral exception handler; or 
an interrupt associated with the viral interrupt handler . 

9. (Currently Amended) A computer system, comprising: 
a processor; and 

a program storage device readable by a computer system, tangibly embodying a 
program of instructions executable by the processor to perform a method for detecting a 
computer virus, the method comprising: 

emulating computer executable code in a subject file; 

detecting at least one modification to a memory state of a computer system, wherein 
the at least one modification: 

is caused by the emulation of the computer executable code; and 

comprises installation of an a viral exception handler or an a viral interrupt 

handler. 
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10. (Currently Amended) A computer data signal embodied in a 
transmission medium which embodies a program of instructions executable by a computer for 
detecting a computer virus, comprising: 

a first segment comprising emulation code to emulate computer executable code in a 
subject file; and 

a second segment comprising detector code to detect at least one modification to a 
memory state of a computer system, wherein the at least one modification: 

is caused by the emulation of the computer executable code; and 
comprises installation of an a viral exception handler or an a viral interrupt 
handler. 

11. (Currently Amended) An apparatus for detecting computer viruses, 
comprising: 

an emulator component operable to emulate computer executable code in a subject 
file; and 

a detector component operable to detect at least one modification to a memory state of 
a computer system, wherein the at least one modification: 

is caused by emulation of the computer executable code; and 
comprises installation of an a viral exception handler or an a viral interrupt 
handler. 

12. (Previously Presented) The apparatus of Claim 11, wherein the detector 
component is further operable to monitor a system memory. 

13. (Currently Amended) The apparatus of Claim 11, wherein the at least 
one modification further comprises installation of an a viral exception handle r, and further 
comprising detecting at least one instruction, wherein the at least one instruction forces 
a particular exception associated with the viral exception handler . 
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14. (Currently Amended) The apparatus of Claim 13, wherein the 
emulat e d comput e r — executabl e — code compris e s — instructions — forcing — a corr e sponding 
particular exception comprises at least one of the following: 

a divide-bv-zero arithmetic operation; 

a memory access to an undefined or illegal memory address; and 
execution of an undefined computer instruction . 

15. (Currently Amended) The apparatus of Claim 4-± 13, wherein the at 
least one modification further comprises writing of a pointer to at least on e pr e d e t e rmin e d 
address in a system memory for storing an e xc e ption handl e r point e r the viral exception 
handler, the pointer associated with the particular exception . 

16. (Currently Amended) The apparatus of Claim 11, wherein the at least 
one modification further comprises installation of ae a viral interrupt handle r, and further 
comprising detecting at least one instruction, wherein the at least one instruction forces 
a particular interrupt associated with the viral interrupt handler . 

17. (Canceled) The apparatus of Claim 16, wherein the emulated computer 
executable code comprises instructions for forcing a corresponding interrupt. 

18. (Currently Amended) The apparatus of Claim 4-1- 16, wherein the at 
least one modification further comprises writing of a pointer to at l e ast on e pr e determined 
addr e ss in a syst e m m e mory for storing an the viral interrupt handle r, the pointer associated 
with the particular interrupt . 

19. (Currently Amended) The apparatus of Claim 4-1- 16, wherein the at 
least one modification further comprises use of a predetermined instruction to retrieve an 
address in a system memory corresponding to an interrupt descriptor table. 
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20. (Previously Presented) The method of Claim 1, wherein the computer 
system comprises a first memory component and a second memory component, and wherein 
access to the second memory component is more restricted than access to the first memory 
component. 

21. (Currently Amended) The method of Claim 20, wherein the viral 
exception handler or the viral interrupt handler attempts to modify the second memory 
component. 
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